In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.

We at SMF believe that this is nothing more than a coincidental, large scale, coordinated attack, possibly orchestrated using the recently updated version of Xrumer or a similar script or program used for spamming forums. Evidently one or more large bot herders have decided to exploit the market and has targeted their fleet towards spamming SMF forums. It is mere coincidence that this happened around the same time as the SMF 1.1.7 upgrade was released.

Why aren't SMF 2.0 forums being targeted?

Nobody knows, but we can speculate that it is due to SMF 2.0's improved functionality, or maybe there are minor differences between 1.1.x and 2.0 that confuse the bots. In either case if you are running 2.0 you should be on the watch for the attack spreading to SMF 2.0.

What can you do?

1.) Everybody should make sure that they are running the latest SMF 1.x or 2.x version. While the spam attacks are not related to security, you should take this occasion as a reminder to check out your security and make sure you have done everything you can to make your forum safe.

2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.

3.) Smaller forums may be able to switch from Member Activation to Member Approval and then may examine email addresses, IP addresses, etc. to decide which applications are human and which are spammers. This of course will result in more labor to operate your forum.

4.) You may decide to use post counts to restrict new members to posting a staging area, then give them full access only after they have shown they are human. The staging area can be easily swept of any spam debris.

5.) There are three modification packages that we believe can provide adequate defenses against spambots. I have verified that each of these packages is suitable for SMF 1.1.7. They are:

The last of the three replaces SMF's CAPTCHA system, but if you use one of the other mod packages make sure you have your CAPTCHA enabled. It won't hurt and it may help.

What won't work?

1.) Blaming it on SMF 1.1.7: As I explained above, the attacks are targeting all 1.1.x versions. It has nothing to do with the recent 1.1.7 release.

2.) Banning IP addresses: This is the Internet version of "Whack a Mole." They can create IP addresses and find proxies faster than you can ban them. This is useless in my opinion...

3.) Banning email addresses: Again, they can change them faster than you can ban them. I've never seen a human registration from mail.ru but some of the bots are using Gmail and other accounts. This is probably wasted effort unless you are manually verifying registrations.

4.) Hiding your SMF version: It's impossible for me to beleive that SMF 2.0 wasn't targeted only because the bots are searching for SMF 1.1.x strings. The target of SMF 2.0 would be too irrestible if there were not some other reason than the version tag.

Summary:

Well that's about it. My colleagues at SMF and I agree that there is no new problem with SMF's software, and that this is simply something that was going to eventually happen anyway. The only thing that changed is that some bot master tweaked and tuned his scripts for SMF 1.1.x. and so the attack has arrived this week.

Please take advantage of one or more of the steps that I've outlined above, and we believe that your spam attacks should stop. Be assured that if these measures don't work that either the developers or the mod package authors will come to your defense. Let's just all stay calm and collected, and one way or another we will beat the spambots. Unfortunately this will be an ongoing effort because each side is always going to be trying to upstage the other. Good luck!

We don't have any comparative reports of which mod works best yet. I suspect all work well unless we hear to the contrary. I think all you have to do is mess up the 'bots just slightly and their script will fail.

This topic welcomes comparative discussion on which is the best strategy to use. I've merely outlined the choices so that everybody can pick which works best for them.

Some of the mods are not yet rated by the authors as 1.1.7 compatible. Part of my work involved testing all three to make sure they work on 1.1.7. I didn't test them exhaustively, but they all install and remove and are able to register a new member with no error logs being generated. I tested for that.

BTW two of the mods are up for grabs if anybody wants to support them, karlbenson's mods. MC is still alive and well as of about 2 hours ago when I was chatting on him via IRC, so I think the reCAPTCHA mod is probably not up for grabs.

I just changed the registration setting to require admin approval, so that should surely stop these mo-fo's from spamming our forum. It's pretty easy to weed out the bots as their usernames and hostnames are all messed up looking, and most of these (in my forum at least) have their IPs showing up in non USA countries.